1 global relay 7 may 2013 best practices for mutual fun dealers: archiving, data protection &...

1

Global Relay

7 May 2013

Best Practices for Mutual Fun Dealers:Archiving, Data Protection & Compliance in a social world

2

AgendaMESSAGE ARCHIVING & REGULATORY COMPLIANCE

1. The Marriage Between Technology & Compliance Message Archiving – It’s not just about email… Understanding your Requirements Privacy Laws & Data Protection Social Media

2. Due Diligence on Engaging a Vendor Understanding Message Processing – You are Accountable Know Your Vendor; SAS 70 & internal controls

3. Leveraging Your Archive Audit & Litigation Readiness Business Continuity & Disaster Recovery Employee Access from Web, Outlook, BlackBerry & iPhone

4. Q & A

Global Relay Communications Inc - Proprietary & Confidential

3

14th year of delivering Software-as-a-Service in a secure private cloud Core competency: Message Archiving, Compliance, & eDiscovery Team of 215 + employees; more than 100+ developers; strong Legal/Audit team 16,000 customers, 95% in the financial services sector Serving Broker-Dealers, Investment Advisors, Hedge Funds, Private Equity & Banks, Mutual Funds Offices in major financial centers worldwide, providing 24x7x365 support:

Global Relay is the Message Archiving Vendor in FINRA’s Compliance Resource Provider Program

Vancouver

New York

London

Singapore

Hong KongChicago

Copyright © 1999-2013 Global Relay Communications Inc. Confidential & Proprietary. All Rights Reserved. Not to be reproduced or distributed without permission.

About Global RelayCANADIAN OWNED AND OPERATED

100% Canadian Owned & Operated

4

Global Relay AwardsRECOGNITION AND ACCOLADES

2011, 2012

Top 200 ranking for 2012 & 2011 on Deloitte Fast 500 – the fastest-growing technology companies in North America

Warren Roy named BC CEO of the Year for 2012 by Business In Vancouver magazine – recognizing outstanding Business Strategy, Financial performance, People Development, Innovation &Social Responsibility/Sustainability

Recognized as one of the Top 10 Best Companies to Work For in British Columbia by BC Business Magazine for 2012 and 2011

Ranked among Largest Software Companies and Fastest Growing Companies in BC by Business in Vancouver magazine for 2012 and 2011

Shannon Rogers, President & General Counsel ranked#1 for 2011 on PROFIT magazine’s list of Top 100 Female Entrepreneurs in Canada


5

Positioned as a “Challenger” in 2012 Gartner Magic Quadrant for Enterprise Information Archiving:

Rated extremely high on “ability to execute”Quote: “Customers indicate extremely high satisfaction with Global Relay's service, in part due to the company's focus on technology: 50% of Global Relay's employees are developers and all code is written internally.”

Analyst RecognitionINDUSTRY ANALYSTS’ EVALUATION OF GLOBAL RELAY

Rated “Excellent” or “Very Good” on 8 of 10 criteria inQ3 2011 Market Overview: SaaS Message Archiving(Forrester Wave for for SaaS archiving was discontinued)

Most recent Forrester Wave for Software-as-a-Service Message Archiving (2008): Global Relay positioned as a “Strong Performer”Quote: “Global Relay’s offering features broad message capture options, very good support for Bloomberg messaging environments, and strong supervision functionality.”

Gartner Magic Quadrant for Enterprise Information Archiving – published December, 2012


1) The Marriage Between Technology & Compliance

Message Archiving – It’s not just about email…Understanding your RequirementsPrivacy Laws & Data ProtectionSocial Media

6Global Relay Communications Inc - Proprietary & Confidential

7

Global Relay ArchiveIT’S NOT JUST ABOUT EMAIL . . .


o Message archiving solutions require: Archiving of all message types (Recordkeeping) Supervisory controls: typically random sampling & keyword flagging

o Note! Ensure employees understand not to use personal messaging (e.g. Gmail) for business correspondence

8

The Big PictureMESSAGE ARCHIVING & REGULATORY COMPLIANCE

o Preserving “who said what, when” to address: MFDA, IIROC, litigation, internal & investor issues

o Understand your requirements Determine what message types are allowed & prohibited in your

business Determine what to do on day 1 of your registration

Archive on a going-forward basis?• Legacy messaging is subject to court subpoena & discovery

Import all legacy messaging including PSTs?• Ensure a single location for eDiscovery• Note! Migrating PST & legacy messages from archiving

servers requires reconciliation, metadata & chain of custody documentation

Supervision & Recordkeeping Rules, retention terms, legal holds and business requirements are complex and may conflict


9

Unified Archive for any Message Type

Importer Buffer (30 days)

On-PremiseArchive

SM

TP

(T

LS

) E

xte

rna

l D

eliv

ery

FileDownloader

XML > XCF

XCF > EML

API Downloader

Database

JSON > EML

AppDownloader

JSON

JSON > EML

Glo

bal

Rel

ayC

ust

om

erU

sers

Jour

na

l SS

L/T

LS

IMA

P /

SM

TP

SM

TP

Gro

up D

eliv

ery

XM

PP

/ H

TT

PS

XM

L

RE

ST

/HT

TP

S

OA

uth

JSO

N /

SS

L

SM

TP XMPP > EML

HT

TP

S

Message Routing

SM

TP

Global Relay Archive

SMTP

Mes

sag

e C

on

vert

er

So

cial

Co

nve

rter

Mo

bile

Co

nve

rter

ADGR OCS

App

Normalized Messages (EML)

Email Public IM OCS/Lync XMPP IM Trading / Market Data Social Media

Mobile


10

Regulatory RequirementsRULES FOR ELECTRONIC MESSAGE RECORDKEEPING

The Fundamentals: 1) Recordkeeping2) Supervision3) Audit

1. Recordkeeping IIROC Rule 29.7, MFDA Rule 5.1, National Instrument 31-103 (11.5) Requires capture, archive & preservation of electronic business records

Indexing of messaging & attachments Dedicated, tamperproof storage

Storage for easy search, retrieval & access Defined retention term (7 years or 5 years)

Serialize & date-stamp each message Message export capability


11

The Fundamentals:

1) Recordkeeping

2) Supervision

3) Audit

2. Supervisory Compliance IIROC Rule 29.7, MFDA Rules 2.5, 2.7, National Instrument 31-103 (11.1) Supervisory controls to detect & prevent regulatory violations

Message review flags defined by keywords, phrases & exclusions Search & Review across all message types Preserve message context & threads Ensure full audit trails to log User, Review & Auditor actions Enforcement of supervisory policies

Regulatory RequirementsRULES FOR ELECTRONIC MESSAGE SUPERVISION


12

The Fundamentals:

1) Recordkeeping

2) Supervision

3) Audit

3. Audit Considerations when producing data for regulators

Turnaround speed: need to furnish “promptly” – determine time required to export reviewer-defined data

Online access (Auditor login) vs. data extraction (FTP, PST, hard drive)Objective: to produce relevant data promptly

Attorney-client privilege flagging (pre-tag vs. manual) Metadata & BCCs; Distribution Lists

Vendor can provide support during Audits, Exams, litigation, eDiscovery

Regulatory RequirementsRULES FOR ELECTRONIC MESSAGE AUDIT & EDISCOVERY


13

Privacy & Data ProtectionSAFEGUARDING INTELLECTUAL PROPERTY

o End-to-end security: Data leak prevention Lock down USB drive access Endpoint security

o Message encryption Data In Transit:

Use SSL/TLS Protocols for login and authentication Ensure your firm & counterparties use mail servers with opportunistic TLS

transport Optionally deploy policy-based encryption for message transport (vendors

include Echoworx, ZixCorp, AppRiver, DataMotion) Note! Encryption technologies must support indexing and archiving of

messages Data At Rest in Archive:

Encrypt all messages with strong ciphers

For firms doing business in the US and internationally Global Relay houses all customer data in Canada (outside the reach of the USA

Patriot Act) Canada’s privacy laws make it an internationally recognized “data safe zone”


14

International Data Security & PrivacyCANADA: A DATA SAFE ZONE

The “Cloud” still has to be hosted somewhere…. oCanada is an internationally recognized “safe zone” for preserving data

Data is hosted in mirrored SSAE 16 Type II Data Centers in East/West coast of Canada

With customers in 90+ countries, Global Relay has deep experience in cross-border issues, including international legal, compliance, audit & eDiscovery matters

Data Privacy in CanadaoStringent data privacy and protection laws in Canada

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) governs personal information collected, used and disclosed by private sector companies in the course of commercial business

The European Commission has twice audited Canada’s privacy laws and determined that those laws provide protection equivalent or better than the European Privacy Directive

USA PATRIOT Act – Not a Concern for Global Relay CustomersoGlobal Relay hosts data in Canada, outside reach of the USA PATRIOT Act

Customer data held by Global Relay is not subject to direct data access demands by the U.S. government

Many large US and international financial firms select Global Relay on this basis


15

Social MediaCurrent StatisticsRegulatory Views Best Practices

15

Global Relay – Proprietary & Confidential

16

About LinkedIn#1 NETWORKING TOOL USED IN BUSINESS

Global Relay - Proprietary & Confidential

o Profile The only widely-recognized professional social networking tool $19B market cap; revenue from premium subscriptions, HR services & advertising Operating since 2003

o Stats 2.9 million companies have LinkedIn company pages 64% of users outside USA

o Growth Current growth rate: 2 new members per second, now at 225 million members

o Uses for Securities Dealers Finding with new clients & keeping in touch with existing ones Sharing news & insight with clients

17

About TwitterMICRO-BLOGGING PLATFORM


o Profile “Micro-blogging” tool where each communication is limited to 140 characters Content is largely public in nature Private company, $140M revenue from advertising Operating since 2006

o Stats 57% of Twitter users use mobile devices 350 million tweets per day being sent

o Growth Fastest growing social media platform, now at 200+ million active users

o Uses for Securities Dealers Reps can quickly share with people who choose to follow them Gather public insight about a particular product, sector or event

18

About Facebook#1 SOCIAL NETWORK WORLDWIDE


o Profile The world’s #1 social network $5B revenue (2012) from advertising Operating since 2004

o Stats 1.06 billion users; 618 million are active daily 81% of US social network users say Facebook is how they prefer to interact with

companies

o Growth 51% of Americans aged 12 and up use Facebook, a 538% increase since 2008

o Uses for Securities Dealers A forum for two-way dialogue with clients A platform for publishing news, events and articles

Sources: CloudTactix, SubmitEdge.com

19

How do regulators view Social Media?JUST ANOTHER FORM OF ELECTRONIC COMMUNICATION…

o FINRA’s mission: To protect investors by maintaining fairness in markets

o Same rules apply: Social Media falls under existing “media-neutral” requirements, including:• Recordkeeping: capture & preservation of electronic business records

o SEC Rule 204-2 (RIAs & Hedge Funds)o SEC Rule 17a-3 & 17a-4; FINRA Rule 3110 (Broker-Dealers)

• Supervision and enforcement of supervisory policieso SEC Rule 206(4)-7 (RIAs & Hedge Funds)o FINRA Rule 3010 & Regulatory Notice 07-59 (Broker-Dealers)

• Audit Readiness: Considerations when producing data for regulatorso Online access (Auditor login) vs. data extraction (FTP, PST, hard drive)o Turnaround speed: need to furnish “promptly” – determine time required to export

reviewer-defined data• Communications With the Public:

o Regulatory Notice 12-29 & FINRA Rule 2210 (Effective Feb. 4, 2013)o Specific to Social Media:

• FINRA Regulatory Notices 10-06 & 11-39• Before engaging in social media use, firms must be sure that they have technology to record and

retain these communications

19


20

Social Media ComplianceREGULATORY CONSIDERATIONS

Social Media is subject to the same regulatory requirementsfor electronic communications For example, IIROC Dealer Member Rule 29.7, plus SEC/FINRA Social Media requires compliant solutions. A few examples:

Type Deemed by IIROC

Examples ComplianceConsiderations

Public Profile Original Advertisement

Facebook ProfileLinkedIn Profile

Pre-ReviewAccess ControlsArchiving

Status Updates Interactive Electronic Forum

Twitter TweetsFacebook Status Updates

Access ControlsPre or Post-Review depending on your firm’s specific policiesArchiving

Email Electronic Correspondence

LinkedIn Messages

Access ControlsSupervision & MonitoringArchiving

21

…However, Note Key Differences with Social MediaNEW APPROACHES FOR NEW COMMUNICATION METHODS

o Categorizations of Social Media Communications• Static Content

o Static: content that remains posted until changed by the firm or individual; accessible to all site visitors. Requires principal pre-approval.

o Examples: Initial Tweets, Facebook Wall Posts, LinkedIn Network Updates

• Interactive Contento Interactive: real-time communication; requires supervision after the fact

(on a risk basis)o Examples: Email, IM, Facebook Wall Comments, LinkedIn Network Comments,

Retweets

• Linking to Third-Party Contento Firms are responsible for content of linked sites & what reps endorseo “Linking” or endorsing can trigger entanglement principles o SEC concept of “prominence and proximity” o Examples: Facebook “Likes”, Twitter “Retweets”, LinkedIn “Recommendations”

21


22

What About Mobile Devices?SOCIAL MEDIA TOOLS ARE THE MOST POPULAR SMARTPHONE APPS

o A ubiquitous pairing: Social Media & smartphones• More than one third of Facebook members access via smartphone• Mobile users are twice as active on Social Media

o FINRA: The communication, not the device, is determinative• Same rules apply for social media content on smartphones

o Mobile makes Recordkeeping more difficult• Make sure your social media compliance solution can capture social media

content generated on:o Mobile devices: smartphones, tablets (BlackBerry, iPhone, iPad, Android

etc.)o Home computerso Public computers (hotels, airport kiosks, etc.)

22


23

Social Media Compliance via Policy

Best practices for achieving compliant social media via policy

o Approval workflow: implement for social media For example, employees must seek CCO/Legal approval before posting certain social

media elements, such as a profile, credentials, referrals, advisor websites, preapproved content, etc.

o Training: provide social media compliance education for employees Make ongoing education mandatory for employees who use and review social media

o Limit use of your firm’s name and/or product names Decrease risks to your firm (such as data leaks)

o Prohibit social media communications that recommend investments or products Unless a registered principal has approved the content

o Revisit existing supervision frequencies & plans Ensure they are appropriate for social media

o Access: Select which social media sites employees can visit Restrict what is non-essential: home use, mobile devices


24

Social Media Compliance via Technology

Best practices for achieving compliant social media via technology

o Select a message archiving vendor that offers social media compliance capability Capture: Ensure the vendor has the capability to capture & retain all social

media data for each user Unify: Integrate social media data to your existing message archive alongside

other message types such as email, Bloomberg, BlackBerry, Thomson Reuters, Instant Messaging, etc.

Supervise: Leverage the supervisory capabilities within your archive – add social media messages to your firm’s message monitoring & review process

o Consider a third-party social media compliance tool to enforce policies Block/allow specific actions – for example, block Facebook Games or

LinkedIn Recommendations Specify activity permission per employee – for example, staff other than

registered reps have read-only access to social media sites

Conclusion: Social media is here to stay and if managed wisely, it can be a useful tool for your business.


25

Case Study: The Importance of Social Media ArchivingNETFLIX CEO REED HASTINGS’ & FACEBOOK DISCLOSURE


Situation:

•Netflix CEO Reed Hastings posted material information about the company on Facebook (a statistic about viewership)

•Did not file the same information in a press release or Form 8-K

•SEC investigated…

•SEC deems Social Media to be an appropriate channel for public information… so long as the public is told where to look

Lessons Learned:

•Social media is evolving from a marketing tool to a serious source of public information

•As with other communications with investors and the public, social media posts need to be captured and retained

26

Case Study: AP Twitter Account Hacked


Situation:

•AP’s Twitter account hacked by hostile group who claimed explosion at the White House

•136 Billion in market value quickly erased, before market rebounds

Lessons Learned:

•Twitter, and other social media, being used as a market data tool

•Password security on social media needs to be questioned and improved

27

Social Media Capture Requires Opt-In from Usero Opt-In & User Rights

A blurred line between personal & professional realms – e.g. LinkedIn profiles Unlike email, employees own & control most social media accounts Employees must opt in for social media archiving Privacy rights a concern: firms should not store employees’ passwords

Opt-In Flow – Global Relay Archive for Social Media


Viewing LinkedIn content in Global Relay ArchiveWITH HIGHLIGHTED CHANGES AND KEYWORD FLAGGING

28

29

What’s Next? New Social Media Sites & “Dual Uses”

29


30

Web ArchivingPOWERED BY PAGEFREEZER


o Create an archive for websites, blogs & social media pages in the cloud Continually creates digital snapshots of your web content, at the frequency you specify Supports dynamic content: audio, video, Flash, and more Very straightforward setup; archive any number of different websites

o Use the PageFreezer dashboard to scroll through an interactive timeline of your archived websites Choose one of the digital snapshots of your

website to brows & replay Search capability lets you pinpoint a specific

keyword or date

31

Web Archiving (continued)POWERED BY PAGEFREEZER


o View your website within PageFreezer’s interface An exact copy of your website as it appeared at a

specific moment in the past Dynamic content like video, audio, Flash, etc. is

re-playable in its original format

2) Due Diligence on Engaging a Vendor

Understanding Message Processing – You are AccountableKnow Your Vendor; SSAE 16/SAS 70 & Internal Controls


33

Message Archiving & AuthenticityIT’S ABOUT QUALITY, ACCURACY & COMPLETENESS

Fundamental message processing requirements

o Message log reconciliation Compare messages sent with messages received by archive Daily log reconciliation is a best practice Ensure all messages are received by archive

o Schema validation Ensure message content is accurate – for example, XML tags, headers &

bodies

o Write verification Ensure accurate message processing in the event of hardware/software

failures

o Malformed messages which fail to be accurately indexed & archived Sent to failure bin for analysis & remediation Forensic auditors check into this process


34

Due Diligence KNOW YOUR VENDOR

o Select vendors with experience in the financial sector

o Look for independent third-party validation SSAE 16 Type II / SOC I (Environmental Controls) Audited Internal Controls

o Evaluate vendors’ security, business & operational controls Physical Security

Change Management (Patches, Releases, Upgrades)

Network Security & Availability

Message Flow & Processing

Data Import, Extraction & Destruction

Security Policies & Standards

Personnel Policies & Procedures (e.g. background checks,

references)


3) Leveraging Your Archive

Audit & Litigation ReadinessBusiness Continuity & Disaster RecoveryEmployee Access from Web, Outlook, & Mobile


36

Additional Reasons to Archive MessagesLEVERAGING YOUR ARCHIVE: BEYOND COMPLIANCE

o Audit & Litigation Readiness Evidentiary-quality records Liability & HR considerations

o Long-term Storage & Message Management Employee convenience & productivity Retrieving historical & deleted messages

o Business Continuity & Disaster Recovery End-user access to messaging in the event

mail servers are down

o Employee Access to All Archived Message Types Outlook plug-in with archive access Smartphone apps to Search, View,

Recover, Reply, Reply All & Forward


BlackBerry, iPhone,

iPad, Android

Microsoft Outlook Plug-in

37 37

Thank You

Global Relay Offices Worldwide

Vancouver 604.484.6630

New York 866.484.6630

Chicago 866.484.6630

London +44.203.139.9064

Singapore +65.3158.1301

www.globalrelay.com

Warren RoyCEO

[email protected]

Shannon RogersPresident & General Counsel

[email protected]

Bryan YoungVice President, Sales

[email protected]

Additional Resources

oCompliance Solutions Guidebook Series

www.globalrelay.com

oKPMG Report on Global Relay Security, Business & Operational Controls

Contact Global Relay

oInformation Sheet on Data Discovery & Extractions

Contact Global Relay

1 global relay 7 may 2013 best practices for mutual fun dealers: archiving, data protection &...

Documents

global relay communications

message archiving vendor

service message archiving

global relay canadian

global relays service

global relays employees

saas archiving

technology compliance